Microsoft released three security bulletins for the month of May:

MS06-018--Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)

MS06-019--Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803)

MS06-020--Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (913433)

I agree with Microsoft's severity rating on all three bulletins. MS06-019 deals with a critical vulnerability in Microsoft Exchange 200 Server and Microsoft Exchange Server 2003 in which a malformed appointment request can give an attacker complete control of the Exchange server.

The other critical vulnerability, MS06-020, isn't actually in a Microsoft product but is in the Adobe Systems Flash Player that Microsoft redistributes in Microsoft Internet Explorer (IE). (Customers that have followed the guidance in Adobe Security Bulletin APSB06-03 are not at risk from the Flash Player vulnerability.) Both the MS06-019 and MS06-020 vulnerabilities are quite serious, and I recommend that you deploy the patches as soon as possible after moderate testing.

The third bulletin deals with a Denial of Service (DoS) vulnerability in Distributed Transaction Coordinator and won't be a priority for most folks.

For my complete coverage of all three vulnerabilities see http://www.ultimateWindowsSecurity.com/news